Merge "[GWP-ASan] Add sysprop, allow shell and system apps to set it."
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 41d3e56..d29a3d3 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -29,6 +29,7 @@
     fs_bpf_vendor
     game_mode_intervention_list_file
     gesture_prop
+    gwp_asan_prop
     hal_contexthub_service
     hal_camera_service
     hal_evs_service
diff --git a/private/property.te b/private/property.te
index 4eba711..63081bf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -415,9 +415,9 @@
   libc_debug_prop
 }:property_service set;
 
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-# Allow system apps to set MTE props, so Developer Options can set them.
+# Allow the shell to set MTE & GWP-ASan props, so that non-root users with adb
+# shell access can control the settings on their device. Allow system apps to
+# set MTE props, so Developer Options can set them.
 neverallow {
   domain
   -init
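Review bot: The reworded comment still says system apps set only MTE props, but the neverallow it documents gains `gwp_asan_prop` in the next hunk with `-system_app` among the exemptions, so the comment and the rule disagree. If Developer Options is meant to set the GWP-ASan props, as the commit title suggests, the last sentence should read `# set MTE & GWP-ASan props, so Developer Options can set them.` No `set_prop(system_app, gwp_asan_prop)` is visible in this diff, so it is worth confirming that the allow rule exists elsewhere. If system apps are not meant to set these props, a separate neverallow for `gwp_asan_prop` without the `-system_app` exemption would keep the restriction tight. The neverallow's exemption list runs across both hunks and is only partly visible here.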
@@ -425,6 +425,7 @@
   -system_app
 } {
   arm64_memtag_prop
+  gwp_asan_prop
 }:property_service set;
 
 neverallow {
diff --git a/private/property_contexts b/private/property_contexts
index 9e8fea2..6e694ed 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -726,6 +726,10 @@
 libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
 libc.debug.hooks.enable   u:object_r:libc_debug_prop:s0 exact string
 
+# GWP-ASan props. Separate from other libc.debug.* props, because we want users
+# to be able to set them from `adb shell` even on release devices.
+libc.debug.gwp_asan.  u:object_r:gwp_asan_prop:s0 prefix string
+
 # shell-only props for ARM memory tagging (MTE).
 arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
 persist.arm64.memtag.default u:object_r:arm64_memtag_prop:s0 exact string
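Review bot: The `prefix` entry on `libc.debug.gwp_asan.` labels every current and future property under that namespace as `gwp_asan_prop`, which this change makes writable from `adb shell` on release builds and readable by every domain. The comment should say so explicitly, for example `# Anything added under libc.debug.gwp_asan. becomes shell-settable on user builds; keep only GWP-ASan tuning knobs here.` The entries are also typed `string`, so the property service accepts any value. If the values are numeric, typing them `int` would reject malformed input at set time; otherwise the code that reads them has to treat the value as untrusted.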
diff --git a/private/shell.te b/private/shell.te
index 97fb0b4..c20e612 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -231,3 +231,6 @@
 
 # Allow shell to set persist.wm.debug properties
 userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
+
+# Allow shell to write GWP-ASan properties even on user builds.
+set_prop(shell, gwp_asan_prop)
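Review bot: The new `set_prop(shell, gwp_asan_prop)` is unconditional, directly below a rule wrapped in `userdebug_or_eng`, and the comment records that this is deliberate but not the constraint that keeps it acceptable. I would extend it to something like `# Intentionally not userdebug_or_eng: users must be able to tune GWP-ASan over adb on release devices; gwp_asan_prop must not be reused for other properties.` That way a later reader neither "fixes" the missing guard nor widens what the label covers.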
diff --git a/public/domain.te b/public/domain.te
index 0edd887..6258c7a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -116,6 +116,7 @@
 get_prop(domain, exported_secure_prop)
 get_prop(domain, exported_system_prop)
 get_prop(domain, fingerprint_prop)
+get_prop(domain, gwp_asan_prop)
 get_prop(domain, hal_instrumentation_prop)
 get_prop(domain, hw_timeout_multiplier_prop)
 get_prop(domain, init_service_status_prop)
diff --git a/public/property.te b/public/property.te
index 55d94b8..6024f07 100644
--- a/public/property.te
+++ b/public/property.te
@@ -68,6 +68,7 @@
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(device_config_surface_flinger_native_boot_prop)
 system_restricted_prop(fingerprint_prop)
+system_restricted_prop(gwp_asan_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(hypervisor_prop)
 system_restricted_prop(init_service_status_prop)